Growth of Connected Devices - Internet of Things

Year   Connected devices   Devices per person on Earth
2007   500 Million         1/10th of a device
2010   35 Billion          5 devices
2013   50 Billion          7 devices

Source: Forrester Research, Cisco IBSG
Introducing IPv6

■ IPv4: 4.3 Billion IP addresses
■ IPv6: 340282366920938463463374607431768211456 IP addresses (2^128)
Introducing IPv6

■ 1 Trillion IP addresses per water drop on this earth
■ 100 IP addresses for every Atom on this Earth
■ IPv4 equals an Atom... IPv6 equals 80 tons
Other IPv6 adoption drivers

■ Mandated, e.g. Australia's AGIMO IPv6 strategy
■ Research environments, e.g. Australia's GrangeNet
■ End-to-end packet integrity: effective security and enhanced application experience for peer-to-peer connections, e.g. Telephony and Video
IPv6 Adoption
Why you should care about IPv6 Security now

■ Most networks have already (partially) deployed IPv6
■ You will likely perform a deployment in the near term
■ You may communicate with IPv6 systems (via transition/co-existence technologies)
State of IPv6 Security

■ Less experience/knowledge with IPv6
■ IPv6 implementations are much less mature
■ Security products have less support for IPv6
■ Transition increases complexity:
  • Dual Stack (IPv4 and IPv6)
  • Increased use of NATs
  • Increased use of tunnels
IPv4 and IPv6 Header Comparison

[Figure: IPv4 header and IPv6 header side by side.
IPv4 header fields shown: Type of Service, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding.
IPv6 header fields shown: Payload Length, Next Header, Source Address, Destination Address.
Legend: Field's name kept from IPv4 to IPv6 / Name and position changed in IPv6 / Fields not kept in IPv6 / New field in IPv6]



Extension Header - RFC 2460

■ Consists of an IPv6 header chain and an (optional) payload
■ Extension Header is encoded as TLV (Type-Length-Value)
■ Any number of instances of any number of different headers are allowed
■ Each header can contain an arbitrary number of options
■ Large number of headers/options have a negative impact on inspection performance
■ It may be impossible to "identify" which "type" of packet a specific fragment belongs to
Extension Header - Routing Header type 0 Threat

■ RH0 provides similar functionality to that of IPv4 source routing
  • Can be leveraged to make packets bounce between network addresses
  • Higher impact because some hosts also "forward" such packets
■ Attacker creates payload (A->B->A->B...) resulting in a packet loop
Extension Header - Routing Header type 0 Mitigation

■ Apply the same policy for IPv6 as for IPv4:
  Block Routing Header type 0
■ Prevent processing at the intermediate nodes:
  no ipv6 source-route
  Windows, Linux, Mac OS: default setting
■ RFC 5095 (Dec 2007): RH0 is deprecated
■ Caution required - enabled by default on implementations prior to 2007
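The header walk and the RH0 policy of the two preceding slides (the RFC 2460 extension-header chain and "Block Routing Header type 0"), as an added example that is not part of the original deck: a small Python parser follows the Next Header chain of a constructed IPv6 packet, stops at ESP (whose contents are opaque), and returns a permit/drop decision. The Next Header values are the ones in the deck's extension-header table; the header-count limit MAX_EXT_HEADERS and the sample packets are constructed for this example.

```python
"""Walk an IPv6 extension-header chain and apply an RH0 / header-count policy.

Constructed example: the packets are built in-line, not captured traffic.
"""
import struct

# Next Header values as listed on the extension-header slide
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH, ESP, MOBILITY = 0, 43, 44, 60, 51, 50, 135
ICMPV6 = 58

# Extension headers whose length field lets us skip over them.
# ESP is deliberately absent: what follows it is encrypted, so the walk stops there.
WALKABLE = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH, MOBILITY}
MAX_EXT_HEADERS = 4  # hypothetical policy limit chosen for this example


def ipv6_fixed_header(next_header, payload_len, src=bytes(16), dst=bytes(16)):
    """40-byte IPv6 fixed header: version 6, traffic class/flow label 0, hop limit 64."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64, src, dst)


def options_header(next_header):
    """Hop-by-Hop or Destination Options header carrying a single PadN option (8 bytes)."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def rh0_header(next_header, hop=bytes(16)):
    """Routing header, Routing Type 0, one address: 24 bytes, so Hdr Ext Len is 2."""
    return bytes([next_header, 2, 0, 1, 0, 0, 0, 0]) + hop


def build_packet(ext_headers, upper_layer_nh, upper_layer):
    """Chain the given extension headers in order, each pointing at the next one."""
    next_values = [nh for nh, _ in ext_headers] + [upper_layer_nh]
    body = b"".join(builder(next_values[i + 1]) for i, (_, builder) in enumerate(ext_headers))
    body += upper_layer
    return ipv6_fixed_header(next_values[0], len(body)) + body


def parse_chain(pkt):
    """Return ([(next_header, routing_type_or_None), ...], upper_layer_next_header)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in WALKABLE:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            hlen = 8                          # fixed size, no length field
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4     # AH length is in 32-bit words minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8     # Hdr Ext Len is in 8-octet units minus 1
        routing_type = pkt[off + 2] if nh == ROUTING else None
        chain.append((nh, routing_type))
        nh, off = pkt[off], off + hlen
        if off > len(pkt):
            raise ValueError("extension header runs past end of packet")
    return chain, nh


def filter_packet(pkt):
    """Policy from the slides: drop RH0, and cap the number of extension headers."""
    try:
        chain, upper = parse_chain(pkt)
    except ValueError as exc:
        return f"drop: {exc}"
    if len(chain) > MAX_EXT_HEADERS:
        return f"drop: {len(chain)} extension headers exceeds limit of {MAX_EXT_HEADERS}"
    for nh, routing_type in chain:
        if nh == ROUTING and routing_type == 0:
            return "drop: routing header type 0"
    return f"permit: upper layer {upper}"


ECHO_REQUEST = bytes([128, 0, 0, 0, 0, 1, 0, 1])  # ICMPv6 Echo Request, checksum left 0


def sample_benign():
    return build_packet([(HOP_BY_HOP, options_header), (DEST_OPTS, options_header)],
                        ICMPV6, ECHO_REQUEST)


def sample_rh0():
    return build_packet([(ROUTING, rh0_header)], ICMPV6, ECHO_REQUEST)


def sample_long_chain():
    return build_packet([(DEST_OPTS, options_header)] * 6, ICMPV6, ECHO_REQUEST)


if __name__ == "__main__":
    for name, pkt in [("benign", sample_benign()), ("rh0", sample_rh0()),
                      ("long chain", sample_long_chain())]:
        print(f"{name:10s} {filter_packet(pkt)}")
```

The chain walk is the same work an inspection device has to do before it can see the upper-layer protocol, which is why the slide's point about many headers hurting inspection performance follows directly from it.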
IPv6 Extension Headers and Upper Layer Protocols

Extension Header                      Type   Remarks
Hop-by-hop Options                    0      used for options that apply to intermediate routers
Routing                               43     used for source routing
Fragment                              44     processed only by the final recipient
Destination Options                   60     used for options that apply only for the final recipient
Authentication Header (AH)            51     used for IPsec integrity protection
Encapsulating Security Payload (ESP)  50     used for IPsec integrity and confidentiality protection
Mobility                              135    used for managing mobile IPv6 bindings

Protocol        Type   Remarks
TCP             6      protocol type for Transmission Control Protocol
UDP             17     protocol type for User Datagram Protocol
IPv6-in-IPv6    41     protocol type for IPv6 in IPv6 tunnels
GRE             47     protocol type for Generic Routing Encapsulation tunnels
ICMPv6          58     protocol type, Internet Control Message Protocol for IPv6
No next header  59     dummy packet, often used with ESP
OSPF            89     protocol type, Open Shortest Path First version 3 routing protocol
PIM             103    protocol type, Protocol Independent Multicast routing
SCTP            132    protocol type, Stream Control Transmission Protocol
IPv4 Protocol Stack - The relevant bits

[Figure: layered IPv4 stack. Application: HTTP, DHCP; Transport: TCP, UDP; ICMP and ARP alongside Internet Protocol v4 (32-bit addresses); Link Layer; Physical Layer]
IPv6 Protocol Stack - More than just 128 bits

[Figure: layered IPv6 stack. Application: HTTP, DHCP; Transport: TCP, UDP; ICMP with MLD, MRD and NDP; the ARP position (replaced by NDP, see below); Internet Protocol v6 (128-bit addresses); Link Layer; Physical Layer]
IPv6 Protocol Stack - New kids on the block

■ Neighbor Discovery protocol
■ Multicast Listener Discovery protocol
■ Multicast Router Discovery
Neighbour Discovery replaces ARP

NDP

■ Find the link-layer addresses of nodes on the local link - uses a mix of ICMPv6 messages and multicast addresses.
■ Stateless Auto-Configuration - allows nodes on the local link to configure their IPv6 addresses by themselves by using a mix of ICMPv6 messages and multicast addresses.
■ Five different packet types:
  • Router Solicitation - Router Advertisement
  • Neighbour Solicitation - Neighbour Advertisement
  • Redirect message
Neighbor Discovery - Stateless Autoconfiguration

Router Solicitations are sent by booting nodes to request Router Advertisements for stateless address auto-configuration.

1. RS
   Src = ::
   Dst = All-Routers multicast address
   ICMP Type = 133
   Data = Query: please send RA

2. RA
   Src = Router Link-local Address
   Dst = All-nodes multicast address
   ICMP Type = 134
   Data = options, prefix, lifetime, autoconfig flag

ARP Spoofing is now NDP Spoofing - Threat

■ ARP is replaced by Neighbor Discovery Protocol
  • Nothing authenticated
  • Static entries overwritten by dynamic ones
■ Stateless Address Autoconfiguration
  • Rogue RA (malicious or not)
  • All nodes badly configured
  • DoS
  • Traffic interception (Man In the Middle Attack)
ARP Spoofing is now NDP Spoofing - Mitigation (RFC 6104)

■ Manual configuration of host - discards RAs
■ RA Snooping aka RA Guard
■ Port ACL options - filter on RA packets (ICMP type 134)
■ Secure Neighbor Discovery: SEND = NDP + crypto
■ Host isolation:
  • Private VLAN works with IPv6
  • Port security works with IPv6
  • 802.1X works with IPv6
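The RA fields shown on the Stateless Autoconfiguration slide and the RA Guard / port-ACL mitigation above, as an added Python example that is not from the original deck: it builds constructed Router Advertisements (ICMP type 134), parses their Prefix Information and Source Link-Layer Address options, and reports what an RA Guard style policy with an allowlist of router link-local addresses and prefixes would flag. The allowlist values (fe80::1, 2001:db8:1::/64), the rogue source fe80::dead and the sample MACs are hypothetical.

```python
"""Parse ICMPv6 Router Advertisements and flag the ones an RA Guard policy would reject.

Constructed example: the RAs are built in-line; allowed router and prefix are
hypothetical values chosen for this demonstration.
"""
import ipaddress
import struct

ICMPV6_RA = 134          # ICMP Type from the RS/RA slide
OPT_SOURCE_LLADDR = 1    # Source Link-Layer Address option
OPT_PREFIX_INFO = 3      # Prefix Information option
FLAG_MANAGED = 0x80      # "M" flag: obtain addresses via DHCPv6


def build_ra(prefix, prefix_len=64, router_lifetime=1800,
             src_mac=bytes.fromhex("001122334455"), managed=False):
    """ICMPv6 RA body (without the IPv6 header) with one prefix option."""
    flags = FLAG_MANAGED if managed else 0
    header = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 0, 0)
    src_opt = bytes([OPT_SOURCE_LLADDR, 1]) + src_mac
    # Prefix Information: L (on-link) and A (autonomous) flags set, valid 30d, preferred 7d
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, 0xC0,
                      2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    return header + src_opt + pio


def parse_ra(body):
    """Return the RA fields a guard policy cares about."""
    msg_type, code, _csum, hop_limit, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", body[:16])
    if msg_type != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & FLAG_MANAGED),
          "router_lifetime": lifetime, "prefixes": [], "src_lladdr": None}
    off = 16
    while off + 2 <= len(body):          # ND options are TLVs, length in 8-octet units
        opt_type, opt_len = body[off], body[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")
        end = off + opt_len * 8
        if end > len(body):
            raise ValueError("truncated ND option")
        if opt_type == OPT_SOURCE_LLADDR:
            ra["src_lladdr"] = body[off + 2:end].hex(":")
        elif opt_type == OPT_PREFIX_INFO:
            prefix = ipaddress.IPv6Address(body[off + 16:end])
            ra["prefixes"].append(f"{prefix}/{body[off + 2]}")
        off = end
    return ra


def check_ra(src_ip, body, allowed_routers, allowed_prefixes):
    """Return a list of findings; an empty list means the RA matches the policy."""
    findings = []
    src = ipaddress.IPv6Address(src_ip)
    if not src.is_link_local:
        findings.append(f"RA source {src} is not link-local")
    if str(src) not in allowed_routers:
        findings.append(f"RA from unexpected router {src}")
    ra = parse_ra(body)
    for prefix in ra["prefixes"]:
        if prefix not in allowed_prefixes:
            findings.append(f"unexpected prefix {prefix} advertised")
    if ra["router_lifetime"] == 0:
        findings.append(f"router lifetime 0: {src} withdraws itself as default router")
    return findings


# Hypothetical policy for this example
ALLOWED_ROUTERS = {"fe80::1"}
ALLOWED_PREFIXES = {"2001:db8:1::/64"}


def demo():
    legit = check_ra("fe80::1", build_ra("2001:db8:1::"), ALLOWED_ROUTERS, ALLOWED_PREFIXES)
    rogue = check_ra("fe80::dead", build_ra("2001:db8:bad::", src_mac=bytes.fromhex("0a0b0c0d0e0f")),
                     ALLOWED_ROUTERS, ALLOWED_PREFIXES)
    return legit, rogue


if __name__ == "__main__":
    legit, rogue = demo()
    print("legitimate RA:", legit or "ok")
    print("rogue RA:", rogue)
```

A switch running RA Guard makes the same decision per port; the allowlist approach here is what a host-side or monitoring implementation can do when the switch does not support it.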
IPv6 Protocol Stack - ICMP

ICMP Message Type                   ICMPv4   ICMPv6
Connectivity Checks                 X        X
Informational/Error Messaging       X        X
Fragmentation Needed Notification   X        X
Address Assignment                           X
Address Resolution                           X
Router Discovery                             X
Multicast Group Management                   X
Mobile IPv6 Support                          X
Filtering ICMPv6 Messages in Firewalls - RFC 4890

Action   Src   Dst   ICMPv6 Type   ICMPv6 Code   Name
Permit   Any   A     128           -             Echo Request
Permit   Any   A     129           -             Echo Reply
Permit   Any   A     1             All           No Route to Destination
Permit   Any   A     2             -             Packet Too Big
Permit   Any   A     3             -             Time Exceeded - TTL Exceeded
Permit   Any   A     4             1 & 2 only    Parameter Problem
ICMPv6 - Message Types and Codes

Error messages

Type          Message Type                                       Code Field / Notes
1             Destination Unreachable                            0 = No route to destination
                                                                 1 = Communication with destination administratively prohibited
                                                                 2 = Beyond scope of source address
                                                                 3 = Address unreachable
                                                                 4 = Port unreachable
                                                                 5 = Source address failed ingress/egress policy
                                                                 6 = Reject route to destination
2             Packet Too Big                                     Set to 0 (zero) by the originator and ignored by the receiver
3             Time Exceeded                                      0 = Hop limit exceeded in transit
                                                                 1 = Fragment reassembly time exceeded
4             Parameter Problem                                  0 = Erroneous header field encountered
                                                                 1 = Unrecognized Next Header type encountered
100 and 101   Private Experimentation                            RFC 4443
127           Reserved for expansion of ICMPv6 error messages    RFC 4443

Informational messages

Type          Message Type                                                Notes
128           Echo Request                                                RFC 4443. Used for the ping command
129           Echo Reply
130           Multicast Listener Query                                    RFC 2710. Used for multicast group management
131           Multicast Listener Report
132           Multicast Listener Done
133           Router Solicitation                                         RFC 4861. Used for neighbor discovery and autoconfiguration
134           Router Advertisement
135           Neighbor Solicitation
136           Neighbor Advertisement
137           Redirect Message
200 and 201   Private Experimentation                                     RFC 4443
255           Reserved for expansion of ICMPv6 informational messages     RFC 4443
IPv6 - General Addressing

■ IPv6 uses 128-bit addresses
■ Hex presentation
■ Addresses are aggregated into "prefixes" (for routing purposes)
■ Address types: Unicast, Anycast and Multicast
■ Address scopes: (link-local, global, etc.)
■ At any given time, several IPv6 addresses, of multiple types and scopes, are used - Examples:
  • One or more unicast link-local address
  • One or more global unicast address
  • One or more link-local address
IPv6 - Address types

Address Type          IPv6 prefix
Unspecified           ::/128
Loopback              ::1/128
Multicast             FF00::/8
Link-local unicast    FE80::/10
Unique Local Unicast  FC00::/7
Global Unicast        everything else
The IPv6 Address Interface ID

■ Interface ID of a unicast address may be assigned in different ways:
  • Auto-configured from a 64-bit EUI-64 or expanded from a 48-bit MAC
  • Auto-generated pseudo-random number (to address privacy concerns)
  • Assigned via DHCP
  • Manually configured
■ EUI-64 format is used for stateless auto-configuration
  • Expands the 48-bit MAC address to 64 bits by inserting FFFE into the middle
  • To ensure the chosen address is from a unique Ethernet MAC address
  • The universal/local (U/L) bit is set to 1 for global scope and 0 for local scope
IPv6 - Security Myths : Absence of Reconnaissance

■ Default subnets in IPv6 have 2^64 addresses - at 10 Mpps a full scan takes more than 50 000 years

Reconnaissance techniques get smarter:

■ IPv6 addresses embedding IEEE IDs (MAC-derived info)
■ Increased deployment/reliance on dynamic DNS
■ Human factor: easy-to-remember addresses (wordy, IPv4 last octet)
■ Multicast:
  • 3 site-local multicast addresses (not enabled by default): FF05::2 all-routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers
  • Several link-local multicast addresses (enabled by default): FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP, ...

IPv6 - Security Myths : Absence of Reconnaissance

EUI-64 interface ID layout:

  IEEE OUI (24 bits)   |  FF FE (16 bits)  |  Lower 24 bits of MAC (24 bits)
  KNOWN / GUESS        |  KNOWN            |  NOT KNOWN
IPv6 - Security Myths : Absence of Reconnaissance

Interface ID - lower 24 bits:

■ MAC addresses can be consecutive in larger organizations and geographical areas
■ VMware ESX employs:
  • Automatic MACs: OUI 00:05:59, and the next 16 bits copied from the low-order 16 bits of the host's IPv4 address (search space: 2^8)
  • Manually-configured MACs: OUI 00:50:56 and the rest in the range 0x000000-0x3fffff (search space: 2^22)
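The EUI-64 construction from the Interface ID slide and the reconnaissance arithmetic on the three slides above, as an added Python example that is not part of the original deck: it derives a SLAAC address from a MAC, recognises EUI-64 interface IDs by recovering the MAC and its OUI (what an auditor checks to see whether hosts expose their hardware address instead of using privacy addresses), and computes the brute-force time for a search space at a given packet rate, so the slide's "more than 50 000 years" figure can be checked. The 2001:db8::/64 prefix and the MAC values are constructed samples; the OUI 00:05:59 is the VMware one named on the slide.

```python
"""EUI-64 interface IDs: derive them, recognise them, and size the scan problem.

Added example around the slide's MAC-to-IID layout; prefix and MAC addresses
below are constructed sample values.
"""
import ipaddress


def mac_to_eui64_iid(mac):
    """48-bit MAC -> 64-bit interface ID: insert FF:FE in the middle, flip the U/L bit."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    iid[0] ^= 0x02          # universal/local bit: 1 = globally unique in the EUI-64 sense
    return bytes(iid)


def iid_to_mac(iid):
    """Inverse of mac_to_eui64_iid; None if the IID does not look EUI-64 derived."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def eui64_address(prefix, mac):
    """Stateless autoconfigured address for a /64 prefix and a MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64_iid(mac)))


def classify_address(addr):
    """Tell whether an address leaks its MAC (and vendor OUI) through an EUI-64 IID."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    mac = iid_to_mac(iid)
    if mac is None:
        return {"kind": "other", "mac": None, "oui": None}
    return {"kind": "eui-64", "mac": mac, "oui": mac[:8]}


def brute_force_years(search_space, packets_per_second):
    """Years needed to probe every address in the space at a given rate."""
    return search_space / packets_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    mac = "00:05:59:12:34:56"   # constructed; 00:05:59 is the VMware OUI named on the slide
    addr = eui64_address("2001:db8::/64", mac)
    print(addr, classify_address(addr))
    print(classify_address("2001:db8::a1b2:c3d4:e5f6:7890"))
    print(f"full /64 at 10 Mpps: {brute_force_years(2**64, 10_000_000):,.0f} years")
    print(f"VMware automatic MAC with IPv4 known: {brute_force_years(2**8, 10_000_000):.1e} years")
```

Running classify_address over an address inventory gives the share of hosts whose interface IDs still carry their MAC; those are the ones the OUI-guessing techniques on the slides apply to.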
IPv6 - Security Myths : IPsec will save the world

■ IPv6 originally mandated the implementation of IPsec - but not its use
■ RFC 6434: "IPsec SHOULD be supported by all IPv6 nodes"
■ IPsec comes with challenges:
  • Interesting scalability issue (n^2 issue with IPsec)
  • Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall
  • Network telemetry is blinded: NetFlow of little use
  • Network services hindered: QoS?
IPv6 - Transition Mechanisms

[Figure: three mechanisms side by side]

■ Dual Stack (IPv4 and IPv6) - recommended enterprise co-existence strategy
■ Tunneling Services (IPv4 over IPv6, IPv6 over IPv4) - connect islands of IPv6 or IPv4
■ Translation Services - connect to the IPv6 community: business partners, government agencies, international sites, remote workers, Internet consumers

Dual Stack - intro

■ Each node's IP stack supports both IPv4 and IPv6
■ Domain names include both A and AAAA records
■ IPv4 or IPv6 are used as needed or preferred - e.g. Happy Eyeballs
■ Main operating systems include native IPv6 support enabled by default and prefer IPv6 over IPv4
■ Dual-stack is the recommended strategy for hosts
Dual Stack - Threats and mitigation

Threats:
■ Lack of awareness that IPv6 is enabled - even on IPv4-only networks
■ Rogue IPv6 router uses RAs to configure the IPv6 stack
■ Host security mechanisms not IPv6 aware
■ IPv6 used to evade network security controls

Mitigation:
■ Disable the IPv6 stack on the host if not used
■ Create an IPv6 control policy - host and network
Tunnels - Intro

Transport IPv6 packets over IPv4

■ Configured: manual configuration
  • 6in4
  • Tunnel broker
■ Automatic: tunnel end-points derived from the IPv6 addresses
  • ISATAP
  • Teredo
  • 6to4
Tunnels - Threats

ISATAP: Intra-Site Automatic Tunnel and Addressing Protocol

■ IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise
■ No authentication in ISATAP - rogue routers are possible
■ Windows defaults to isatap.example.com
■ IPv6 addresses can be guessed based on the IPv4 prefix (scanning is back!)
Tunnels - Threats

Teredo:

■ IPv6 over UDP (port 3544) - the firewall just sees IPv4 UDP traffic
■ Hosts behind a NAT may become reachable from the public Internet
■ Windows systems resolve "teredo.ipv6.microsoft.com" - anyone who can attack the DNS can impersonate a Teredo server
Tunnels - Mitigations

Teredo:
■ Filter IPv4.dst == known Teredo servers && UDP.DstPort == 3544

ISATAP:
■ Filter IPv4.Protocol == 41
■ Check DNS logs for ISATAP resolving
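The three mitigation rules above turned into detection logic, as an added Python example that is not from the original deck: it runs over constructed flow records and DNS query log lines, flagging IPv4 protocol 41 flows, UDP/3544 flows (to the known Teredo server list, and separately to any other destination, which goes one step beyond the slide's filter), and DNS queries for isatap./teredo. names. The log line format, the internal hosts and the Teredo server address 192.0.2.53 are placeholders constructed for this example; the tunnel hostnames are the ones named on the Threats slides.

```python
"""Spot IPv6-over-IPv4 tunnel indicators in flow records and DNS logs.

Added example with constructed log lines; the Teredo server address is a placeholder.
"""
import re

PROTO_IPV6_IN_IPV4 = 41                 # from the slide's protocol table (ISATAP, 6to4, 6in4)
TEREDO_PORT = 3544                      # from the Teredo slide
KNOWN_TEREDO_SERVERS = {"192.0.2.53"}   # placeholder: replace with the real list for your network
TUNNEL_NAME_RE = re.compile(r"^(isatap|teredo)\.", re.IGNORECASE)

# Constructed flow records: timestamp src dst ip_proto dst_port
FLOWS = """\
2024-05-01T08:00:01 10.1.1.10 203.0.113.5 6 443
2024-05-01T08:00:02 10.1.1.11 203.0.113.9 41 0
2024-05-01T08:00:03 10.1.1.12 192.0.2.53 17 3544
2024-05-01T08:00:04 10.1.1.12 198.51.100.7 17 3544
2024-05-01T08:00:05 10.1.1.13 203.0.113.5 17 53
"""

# Constructed DNS query log: timestamp client qname
DNS_LOG = """\
2024-05-01T08:00:00 10.1.1.11 isatap.example.com
2024-05-01T08:00:00 10.1.1.12 teredo.ipv6.microsoft.com
2024-05-01T08:00:01 10.1.1.13 www.example.com
"""


def classify_flow(line):
    """Return (client, reason) if the flow looks like tunnelled IPv6, else None."""
    _ts, src, dst, proto, dport = line.split()
    proto, dport = int(proto), int(dport)
    if proto == PROTO_IPV6_IN_IPV4:
        return src, f"IPv4 protocol 41 to {dst} (ISATAP/6to4/6in4)"
    if proto == 17 and dport == TEREDO_PORT:
        if dst in KNOWN_TEREDO_SERVERS:
            return src, f"Teredo to known server {dst}"
        return src, f"UDP/{TEREDO_PORT} to {dst}: possible Teredo relay/server"
    return None


def classify_dns(line):
    """Return (client, reason) for lookups of tunnel endpoint names, else None."""
    _ts, client, qname = line.split()
    if TUNNEL_NAME_RE.match(qname):
        return client, f"DNS lookup for tunnel endpoint name {qname}"
    return None


def tunnel_report(flows=FLOWS, dns_log=DNS_LOG):
    """Group tunnel indicators per internal host so each can be followed up."""
    report = {}
    for line in flows.splitlines():
        hit = classify_flow(line)
        if hit:
            report.setdefault(hit[0], []).append(hit[1])
    for line in dns_log.splitlines():
        hit = classify_dns(line)
        if hit:
            report.setdefault(hit[0], []).append(hit[1])
    return report


if __name__ == "__main__":
    for host, reasons in sorted(tunnel_report().items()):
        print(host)
        for reason in reasons:
            print("   ", reason)
```

Correlating the DNS lookup with the protocol 41 or UDP/3544 flow from the same host is what separates a stack that merely probed for a tunnel from one that actually brought it up.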










How imminent are IPv6 attacks?

■ The tools:
  • THC-IPv6 by Van Hauser
  • SI6 IPv6 Toolkit by Fernando Gont
■ The exploits:
  • Zeus botnet is IPv6 compliant
Key observations

IPv6 robustness
■ Implementations have not really been the target of attackers, yet
■ Only a handful of publicly available attack tools
■ Lots of vulnerabilities and bugs still to be discovered

IPv6 control policy points
■ IPv6 inspection is not broadly supported in security devices

Education/Training/Awareness
■ Pushing people to "Enable IPv6" as a turn-key solution doesn't work
■ Creating awareness and expertise

Resources

■ RFCs are your friend
■ NIST Special Publication 800-119, Guidelines for the Secure Deployment of IPv6
■ Cisco.com/go/ipv6
■ 6lab.cisco.com
■ IPv6 Security - Eric Vyncke and Scott Hogg @ Cisco Press